Custom Role Mapping Provider in Weblogic

The default (that is, active) security realm for WebLogic Server includes a WebLogic Role Mapping provider. The WebLogic Role Mapping provider computes dynamic security roles for a specific user (subject) with respect to a specific protected WebLogic resource for each of the default users and WebLogic resources. The WebLogic Role Mapping provider supports the deployment and undeployment of security roles within the system. The WebLogic Role Mapping provider uses the same security policy engine as the WebLogic Authorization provider. If you want to use a role mapping mechanism that already exists within your organization, you could create a custom role mapping provider to tie into that system.

You need three files: an XML file with the MBean configuration, the provider itself, and an implementation of a role.

The Config File:

<?xml version="1.0" ?>
<!DOCTYPE MBeanType SYSTEM "commo.dtd">

<MBeanType
 Name          = "MYRoleMapper"
 DisplayName   = "MYRoleMapper"
 Package       = "MY.security"
 Extends       = "weblogic.management.security.authorization.RoleMapper"
 PersistPolicy = "OnUpdate"
>
 <MBeanAttribute
  Name          = "ProviderClassName"
  Type          = "java.lang.String"
  Writeable     = "false"
  Preprocessor  = "weblogic.management.configuration.LegalHelper.checkClassName(value)"
  Default       = "&quot;MY.security.MYRoleMapperProviderImpl&quot;"
 />

 <MBeanAttribute
  Name          = "Description"
  Type          = "java.lang.String"
  Writeable     = "false"
  Default       = "&quot;MY RM provider &quot;"
 />

 <MBeanAttribute
  Name          = "Version"
  Type          = "java.lang.String"
  Writeable     = "false"
  Default       = "&quot;1.2&quot;"
 />

</MBeanType>

The actual provider, MYRoleMapperProviderImpl.java:

package MY.security;

import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import weblogic.management.security.ProviderMBean;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.SecurityRole;
import weblogic.security.spi.Resource;
import weblogic.security.spi.RoleMapper;
import weblogic.security.spi.RoleProvider;
import weblogic.security.spi.SecurityServices;

public class MYRoleMapperProviderImpl implements RoleProvider, RoleMapper {
    private String description;
    private static final Map<String, SecurityRole> NO_ROLES =
        Collections.unmodifiableMap(new HashMap<String, SecurityRole>(1));

    // Resource type strings as returned by Resource.getType()
    private static final String RESSOURCE_URL = "<url>";
    private static final String RESSOURCE_EJB = "<ejb>";

    private enum rollen {
        READER;
    }

    @Override
    public void initialize(ProviderMBean mbean, SecurityServices services) {
        // Description and Version come from the MBean definition in the XML file above
        description = mbean.getDescription() + "\n" + mbean.getVersion();
    }

    @Override
    public String getDescription() {
        return description;
    }

    @Override
    public void shutdown() {
        // nothing to release
    }

    @Override
    public RoleMapper getRoleMapper() {
        return this;
    }

    @Override
    public Map<String, SecurityRole> getRoles(Subject subject, Resource resource, ContextHandler handler) {
        Map<String, SecurityRole> roles = new HashMap<String, SecurityRole>();
        Set<Principal> principals = subject.getPrincipals();
        // Walk up the resource hierarchy so that a role granted on a parent applies to its children
        for (Resource res = resource; res != null; res = res.getParentResource()) {
            getRoles(res, principals, roles);
        }
        if (roles.isEmpty()) {
            return NO_ROLES;
        }
        return roles;
    }

    private void getRoles(Resource resource, Set<Principal> principals, Map<String, SecurityRole> roles) {
        // Compare the type strings with equals(); == only works by accident of string interning
        if (RESSOURCE_URL.equals(resource.getType()) || RESSOURCE_EJB.equals(resource.getType())) {
            // Note: the principals are not inspected here, so every subject, including an
            // anonymous one, ends up with READER on URL and EJB resources
            roles.put(rollen.READER.toString(),
                      new MYSecurityRoleImpl(rollen.READER.toString(), "READER Rolle"));
        }
    }
}
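As an added example, not from the original post: a hypothetical variant of the getRoles logic that, instead of handing READER to every caller, maps the subject's WLSGroup principals to roles through a constructed group-to-role table, compares the resource types with equals() rather than ==, and so gives an anonymous subject (which carries no group principals) no roles at all. The provider's getRoles method would return rolesFor(subject, resource); the group names are assumptions.

```java
package MY.security;

import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import weblogic.security.service.SecurityRole;
import weblogic.security.spi.Resource;
import weblogic.security.spi.WLSGroup;

// Hypothetical helper, not part of the post: roles are derived from the caller's
// group principals instead of being granted to every subject
public class GroupBasedRoleMapping {
    // Group name -> role name; a constructed sample table standing in for the
    // organisation's own role store
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<String, String>();
    static {
        GROUP_TO_ROLE.put("Operators", "READER");
        GROUP_TO_ROLE.put("Administrators", "ADMIN");
    }

    // Same resource types as in MYRoleMapperProviderImpl, compared with equals()
    private static boolean isProtected(Resource resource) {
        for (Resource res = resource; res != null; res = res.getParentResource()) {
            String type = res.getType();
            if ("<url>".equals(type) || "<ejb>".equals(type)) {
                return true;
            }
        }
        return false;
    }

    // Returns the roles the subject holds on the resource; an anonymous subject has
    // no WLSGroup principals and therefore receives an empty map
    public static Map<String, SecurityRole> rolesFor(Subject subject, Resource resource) {
        if (!isProtected(resource)) {
            return Collections.emptyMap();
        }
        Map<String, SecurityRole> roles = new HashMap<String, SecurityRole>();
        for (WLSGroup group : subject.getPrincipals(WLSGroup.class)) {
            String role = GROUP_TO_ROLE.get(group.getName());
            if (role != null) {
                roles.put(role, new MYSecurityRoleImpl(role, "granted via group " + group.getName()));
            }
        }
        return Collections.unmodifiableMap(roles);
    }
}
```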

A simple role implementation:

package MY.security;

import weblogic.security.service.SecurityRole;

public class MYSecurityRoleImpl implements SecurityRole {

    private String _roleName;
    private String _description;
    private int _hashCode;

    public MYSecurityRoleImpl(String roleName, String description)
    {
        _roleName = roleName;
        _description = description;
        _hashCode = roleName.hashCode() + 17;
    }

    // Two roles are equal when their names are equal
    public boolean equals(Object secRole)
    {
        if (secRole == null)
        {
            return false;
        }

        if (this == secRole)
        {
            return true;
        }

        if (!(secRole instanceof MYSecurityRoleImpl))
        {
            return false;
        }

        MYSecurityRoleImpl anotherSecRole = (MYSecurityRoleImpl) secRole;

        if (!_roleName.equals(anotherSecRole.getName()))
        {
            return false;
        }

        return true;
    }

    public String toString () { return _roleName; }
    public int hashCode () { return _hashCode; }
    public String getName () { return _roleName; }
    public String getDescription () { return _description; }
}

For more information, go through the WebLogic documentation.

Now you need to configure the provider in the WebLogic admin console under Security Realms > Providers > New.

Happy learning with Vinay in techartifact…..

Create user in OID

Using the Oracle-supplied Java SDKs
The sample code below uses the OID SDKs to bind to the OID directory server and then create a new user under a specific location in the directory tree.

import oracle.ldap.util.*;
import oracle.ldap.util.jndi.*;
import javax.naming.NamingException;
import javax.naming.directory.*;
import java.io.*;
import java.util.*;

public class NewUser
{
    final static String ldapServerName = "mlc2.acme.org";
    final static String ldapServerPort = "3060";
    final static String rootdn = "cn=orcladmin";
    final static String rootpass = "welcome1";

    public static void main(String argv[]) throws NamingException
    {
        // Create the connection to the ldap server
        InitialDirContext ctx = ConnectionUtil.getDefaultDirCtx(ldapServerName,
                                                                ldapServerPort,
                                                                rootdn,
                                                                rootpass);

        // Create the subscriber object using the default subscriber
        Subscriber mysub = null;
        String [] mystr = null;
        try {
            RootOracleContext roc = new RootOracleContext(ctx);
            mysub = roc.getSubscriber(ctx, Util.IDTYPE_DN, "dc=acme,dc=org", mystr);
        }
        catch (UtilException e) {
            e.printStackTrace();
        }

        // Create ModPropertySet with user information
        ModPropertySet mps = new ModPropertySet();
        mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "givenname", "John");
        mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "mail", "john.doe@acme.org"); // sample value
        mps.addProperty(LDIF.ATTRIBUTE_CHANGE_TYPE_ADD, "userpassword", "welcome1");

        // Create the user
        User newUser = null;
        try {
            newUser = mysub.createUser(ctx, mps, true);
            System.out.println("New User DN: " + newUser.getDN(ctx));
        }
        catch (UtilException e) {
            e.printStackTrace();
        }
    }
}

To use the above sample code do the following:
1. Save the above code into a file named NewUser.java. Note that the filename and case are important and must be exactly NewUser.java unless the code has been modified.

2. Locate the Java Development Kit (JDK) on your system. For recent Oracle installations it should have been installed under $ORACLE_HOME/jdk but could be located elsewhere.

3. Compile the NewUser.java file into a binary NewUser.class file using the following command:

/bin/javac -classpath $ORACLE_HOME/jlib/ldapjclnt9.jar NewUser.java

Since the sample code makes use of the Oracle LDAP classes it is necessary to include the classpath parameter in the javac command. The above command should complete with no errors or output and should result in a file named NewUser.class being created.

4. Execute the resulting NewUser.class file using the following command:

/bin/java -cp .:$ORACLE_HOME/jlib/ldapjclnt9.jar NewUser

Note that this time there is NO extension specified (neither .java nor .class is used) and it must be executed from the same directory where the NewUser.class file is located. Again the file is case-sensitive and must be exactly as listed above. Make note of the -cp parameter as it includes the current directory and the location of the ldapjclnt9.jar file. It is necessary to include the ".:" (a period followed by a colon) in the -cp parameter for the program to execute correctly.

If the NewUser.class file executes it will print "New User DN: cn=john.doe,cn=Users,dc=acme,dc=org" to the screen. The user will be created within OID in the cn=users container of the default subscriber/realm. This user can then be seen via an ldapsearch or through Oracle Directory Manager (ODM).

If any errors are encountered (such as invalid user/password, duplicate entry, etc.), an error message will be displayed. In this simple example the error messages are of very little help other than for indicating which part of the code failed. For example, if the user already exists, the following error will be displayed:

oracle.ldap.util.UtilException: NamingException encountered in ldapAdd [LDAP: error code 68 - Object already exists]
    at oracle.ldap.util.Util.ldapAdd(Util.java:2016)
    at oracle.ldap.util.Subscriber.createUser(Subscriber.java:1392)
    at oracle.ldap.util.Subscriber.createUser(Subscriber.java:1315)
    at NewUser.main(NewUser.java:46)

Using the Native Java JNDI Packages

The OID Java API documentation shows how to search and modify entries within an OID LDAP server but does not give any examples or instructions for how to create a new entry in the LDAP server. This example is very similar to the above Java code but uses ONLY native Java packages.

The sample code below uses the Java JNDI packages to bind to the OID directory server and then create a new user under a specific location in the directory tree. This code uses NO Oracle-specific Java function calls. The sample code uses only Java packages that are supplied by Sun’s Java Development Kit.

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;
import java.util.*;

public class NewUser
{
    final static String ldapServerName = "mlc2.acme.org";
    final static String ldapServerPort = "4032";
    final static String rootdn = "cn=orcladmin";
    final static String rootpass = "welcome1";
    final static String entryDn = "cn=javauser,cn=users,dc=acme,dc=org";

    public static void main(String argv[]) throws NamingException
    {
        // Bind to the server; with a plain ldap:// URL the bind DN and password travel unencrypted
        Properties env = new Properties();
        env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
        env.put( Context.PROVIDER_URL, "ldap://" + ldapServerName + ":" + ldapServerPort + "/");
        env.put( Context.SECURITY_PRINCIPAL, rootdn );
        env.put( Context.SECURITY_CREDENTIALS, rootpass );
        DirContext ctx = new InitialDirContext(env);

        // Create the objclassSet to hold all the entry's objectClasses.
        BasicAttribute objclassSet = new BasicAttribute("objectclass");
        objclassSet.add("person");
        objclassSet.add("organizationalPerson");
        objclassSet.add("inetOrgPerson");
        objclassSet.add("top");
        objclassSet.add("orcluser");
        objclassSet.add("orcluserv2");

        // load the attributes
        BasicAttributes attrs = new BasicAttributes();
        attrs.put(objclassSet);
        attrs.put("mail", "javauser@acme.org"); // sample value
        attrs.put("cn", "javauser");
        attrs.put("sn", "Campbell");
        attrs.put("givenname", "Mike");
        attrs.put("uid", "javauser");
        attrs.put("userpassword", "welcome1");

        // create the user in OID
        ctx.createSubcontext(entryDn, attrs);
    }
}

To use the above sample code do the following:
1. Save the above code into a file named NewUser.java. Note that the filename and case are important and must be exactly NewUser.java unless the code has been modified.

2. Locate the Java Development Kit (JDK) on your system. For recent Oracle installations it should have been installed under $ORACLE_HOME/jdk but could be located elsewhere.

3. Compile the NewUser.java file into a binary NewUser.class file using the following command:

/bin/javac NewUser.java

Since the sample code does not contain any Oracle-specific packages in it there is no need to specify any classpath. The above command should complete with no errors or output and should result in a file named NewUser.class being created.

4. Execute the resulting NewUser.class file using the following command:

/bin/java NewUser

Note that this time there is NO extension specified (neither .java nor .class is used) and it must be executed from the same directory where the NewUser.class file is located. Again the file is case-sensitive and must be exactly as listed above.

If the NewUser.class file executes successfully there will be no output written to the screen. The user will be created within OID in the location specified by the entryDn variable. This user can then be seen via an ldapsearch or through Oracle Directory Manager (ODM).
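As an added example, not from the original post: a variant of the JNDI program that takes the passwords from the environment instead of string constants, reports the duplicate-entry case described in this section (LDAP error code 68, which JNDI raises as NameAlreadyBoundException) as a return value rather than a stack trace, and reads the entry back the way an ldapsearch would. The class name, the OID_BIND_PW and NEW_USER_PW variable names and the mail address are assumptions; host, port and DN are the post's.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class NewUserChecked {
    // true if the entry was added, false if it already existed (LDAP error code 68,
    // surfaced by JNDI as NameAlreadyBoundException); any other failure still propagates
    static boolean createUser(DirContext ctx, String dn, String uid, String givenName,
                              String sn, String mail, String password) throws NamingException {
        BasicAttribute oc = new BasicAttribute("objectclass");
        for (String c : "top,person,organizationalPerson,inetOrgPerson,orcluser,orcluserv2".split(",")) {
            oc.add(c);
        }
        BasicAttributes attrs = new BasicAttributes(true); // attribute names are case-insensitive
        attrs.put(oc);
        attrs.put("cn", uid);
        attrs.put("uid", uid);
        attrs.put("sn", sn);
        attrs.put("givenname", givenName);
        attrs.put("mail", mail);
        attrs.put("userpassword", password);
        try {
            ctx.createSubcontext(dn, attrs);
            return true;
        } catch (NameAlreadyBoundException dup) {
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        String bindPw = System.getenv("OID_BIND_PW");   // assumed variable names; no
        String userPw = System.getenv("NEW_USER_PW");   // passwords in the source file
        if (bindPw == null || userPw == null) throw new IllegalStateException("set OID_BIND_PW and NEW_USER_PW");
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://mlc2.acme.org:4032/"); // host and port from the post
        env.put(Context.SECURITY_PRINCIPAL, "cn=orcladmin");
        env.put(Context.SECURITY_CREDENTIALS, bindPw);
        DirContext ctx = new InitialDirContext(env);
        try {
            String dn = "cn=javauser,cn=users,dc=acme,dc=org";
            boolean created = createUser(ctx, dn, "javauser", "Mike", "Campbell",
                                         "javauser@acme.org", userPw);
            // Read the entry back, as an ldapsearch would; NameNotFoundException here means it is not visible
            Attributes seen = ctx.getAttributes(dn, new String[] {"uid"});
            System.out.println((created ? "Created " : "Already existed: ") + dn + ", " + seen.get("uid"));
        } finally {
            ctx.close();
        }
    }
}
```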

If any errors are encountered (such as invalid user/password, duplicate entry, etc.), a Java exception will occur and a stack trace will be displayed showing the error. For example, if the user already exists, the following error will be displayed:

Oracle WebCenter Portal 12c Jump Start Kit available

Great news for WebCenter Portal developers: the Oracle WebCenter Portal Jump Start Kit is now available. Get the WebCenter Portal JSK from here.

The Jump Start Kit (JSK) for WebCenter Portal is a utility that installs a fully functional version of WebCenter Portal pre-integrated with Oracle WebCenter Content, including key features enabled and preconfigured, all within a single machine instance (virtual or physical). The JSK supports Linux x86-64. It is targeted to developers or product evaluation only, and is not supported for production use.

The JSK expects you to download the required software from the Oracle Technology Network. This includes the Oracle Database, Oracle WebLogic Server, WebCenter Content, WebCenter Portal, Oracle HTTP Server, as well as Oracle Fusion Middleware utilities (see exact list with links below). It then installs and configures each of these to interoperate with each other.

The JSK then configures WebCenter Content and WebCenter Portal integration points such as Inbound Refinery, and configures several WebCenter Portal features, the pagelet producer, blogs, wikis, and lists.

You do not have to interact with the JSK installer during this process. Total run time depends on the speed of the machine being installed to, but tends to take between 1.5 to 2 hours.

The JSK portal is targeted for developer-only non-production use because of several assumptions made about the topology, including running all services on one machine.

Happy webcenter portal learning with Vinay & JSK